OKTA Verify and no cell phone
April 9, 2019 8:43 AM

My company has rolled out mandatory use of OKTA Verify. I don't have a company cell phone, and my personal cell phone is too old to download the OKTA Verify app.

I have suggested the company issue me a phone for this use, but they say it is impossible and we have reached an "impasse". Are there other ways to use OKTA Verify that I could suggest to my IT department? Alternatively, if a cell phone is absolutely the only way, what is the cheapest phone that would work for this purpose (I assume I could get a no-maintenance cost pay-as-you-go SIM for it).
posted by Tandem Affinity to Technology (20 answers total) 2 users marked this as a favorite

Our Okta setup allows you to use a landline or a call in addition to an app. I didn't contemplate this option (I configured it to use my desk phone) but I imagine if it can call my desk it can call your older cell phone?

We don't use the Okta app - I get taken to an Okta login and prompted for a Google Authenticator code.
posted by Exceptional_Hubris at 8:47 AM on April 9 [1 favorite]

Can your cell phone manage the Google Authenticator app? We use OKTA for SSO at my job and some people use the OKTA Verify app, some people use Google Authenticator. I personally use Google Authenticator.
posted by phunniemee at 8:49 AM on April 9 [2 favorites]

The customer forums suggest either a TOTP app (like Google Authenticator) or have your IT dept give non-phone users Yubikeys.
posted by xingcat at 8:49 AM on April 9 [2 favorites]

Okta can send text messages and I believe it was on the road map for Okta to make phone calls as well. The IT organization where you work needs to work with the security organization where you work to make the determination if sending text messages is okay or not in your workplace.

For reference: I am a principal security architect who has been specifying security policies and secure configurations for Okta for 6 years across two large multinational companies. This is a solvable problem, your IT team needs direction from the security team as to what's allowable. This impasse most likely comes down to a single hardass in the security organization who has read on the internet that text messages are a bad multi-factor option (and they are mostly right) so they have outright banned it without first realizing that not everyone lives in a technotopia of the latest gadgetry. Honestly those kinds of security people irritate the shit out of me (sorry for editorializing, I do this for a living and I'm passionate about security organizations thinking about UX and how people actually live their lives instead of always making prescriptive assumptions for how everyone must live with technology).
posted by nikaspark at 8:53 AM on April 9 [18 favorites]

You most likely don't even need a phone with a plan. Any old Android that can run Google Authenticator should do.
posted by MonsieurBon at 8:53 AM on April 9

What is your personal cell phone?

+1 to using Google Authenticator (which runs on older phones).

Failing that, do you have access to 1Password on your computer(s)? If so, that can handle the Okta Verify authentication too.
posted by caek at 9:00 AM on April 9

You don't even need a phone with wifi. Google Authenticator just needs the clock to be fairly accurate; once you have the app installed and initialized, it will generate new codes based on the time. It doesn't need network access at all.
posted by BungaDunga at 9:01 AM on April 9
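
The behaviour described in the comment above (codes derived from a stored secret and the local clock, with no network access) shown as an added example that is not part of the original thread. It assumes the RFC 6238 defaults (HMAC-SHA1, 30-second steps, 6 digits), uses the RFC test key as a constructed secret, and the `verify` helper with its one-step window is a hypothetical server-side policy:

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample secret: the RFC 6238 test key, base32-encoded the way an
# authenticator app receives it at enrollment (QR code or typed key).
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: float, step: int = 30) -> str:
    """RFC 6238: the counter is the local clock divided into time steps."""
    return hotp(base64.b32decode(secret_b32), int(unix_time) // step)


def verify(secret_b32, submitted, server_time, step=30, window=1):
    """Return the drift (in steps) at which the code matched, else None.

    window=1 is an assumed policy: accept one step either side of server time.
    """
    secret = base64.b32decode(secret_b32)
    counter = int(server_time) // step
    for drift in range(-window, window + 1):
        if counter + drift < 0:
            continue  # no time step exists before the Unix epoch
        if hmac.compare_digest(hotp(secret, counter + drift), submitted):
            return drift
    return None


if __name__ == "__main__":
    phone_clock = 59  # constructed timestamp; the phone never contacts a server
    code = totp(SAMPLE_SECRET_B32, phone_clock)
    print("code on phone:", code)
    print("server 20 s ahead :", verify(SAMPLE_SECRET_B32, code, phone_clock + 20))
    print("server 120 s ahead:", verify(SAMPLE_SECRET_B32, code, phone_clock + 120))
```

A phone whose clock has drifted by more than the verifier's window produces codes that are rejected, which is why the clock only has to be "fairly" accurate.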

It seems like my IT department makes the decision on whether to allow landline (call) authentication or Google Authenticator, and they are not allowing that (please let me know if my understanding is incorrect and I could do these things somehow). The only option given in the setup directions is the Okta Verify App.

So I guess my question on cheap phones are those that can run the OKTA Verify specifically. I know nothing of android or google phones.

[Thanks for editorializing - I am getting a lot of shade for not having a better phone, when the phone works perfectly well for my personal use. I have an iPhone 6. It is limping a little and I don't want to stress it further by doing an OS upgrade.]

I will try the 1Password when I get home. /ironically, we are not allowed to download apps while on the company wifi. Which I get. But then why require download of an app?/
posted by Tandem Affinity at 9:07 AM on April 9

An iPhone 6 is not that old; I have one, and it's perfectly capable of running the current OS. It is a little silly to jump through all of these hoops, if upgrading to the current OS will work.
posted by acidic at 9:19 AM on April 9 [10 favorites]

As a security professional I would highly recommend upgrading to the latest OS your phone supports, there are some very serious security flaws in the older iOS software, and from what I understand, the newer OSes aren't as CPU-taxing as one might imagine.
posted by nikaspark at 9:20 AM on April 9 [11 favorites]

I'd consider getting a cheap burner phone that's running Android 4.4 or newer, which appears to be the minimum for Okta Verify at current. Shop sales at Target/Walmart etc. and read the fine print so you're not committing to buy minutes-- this will be a wifi-only affair at best.

A few years ago, there was an Android vulnerability called Stagefright, and my friends at Amazon weren't allowed to get their Android personal phones on the company network, so they bought burner Windows phones for $50-70, no minutes, and could carry those at work to keep their personal email handy for the year it took for them to get upgraded away from Stagefright.

I already carry two phones, one work, one home, and it's not bad.
posted by Sunburnt at 9:48 AM on April 9

Your phone is not old. You should upgrade the operating system. The current version of iOS makes older phones faster. It also has significant security patches. You're running a dangerously insecure operating system. Once you do, install Okta Verify or Google Authenticator.
posted by caek at 9:57 AM on April 9 [3 favorites]

Honestly, if your personal phone doesn't support it, your IT dept needs to buy you something that does. End of story. Nobody ever seems to have an issue with paying sales people's full cell bill, they can cough up for a bottom rung Android phone. Saying they "can't" is dishonest and lazy. There's always a way.
posted by Dr. Twist at 9:57 AM on April 9 [8 favorites]

Original question is based on bad data, "my personal cell phone is too old to download the OKTA Verify app".
Your iPhone 6 is not too old. Upgrade your OS and install the OKTA Verify app.
posted by w0mbat at 10:04 AM on April 9 [4 favorites]

There are physical hard tokens available where you press a button to generate a one-time code, if they're willing to get you one of those.
posted by eponym at 11:55 AM on April 9 [1 favorite]

I have an iPhone 6S, and have no problem with the current OS. It runs the Okta Verify app. But that's not exactly your question.

I have a colleague that refuses to put any work-related apps on her phone (which I completely respect), so IT gave her a dongle that provides the verification code needed when logging in. Your company should provide something similar to you. Just because everybody else is using their personal equipment to access company data doesn't mean you need to.
posted by queensissy at 11:55 AM on April 9 [2 favorites]

You may want to ask them what happens when someone loses their phone. Not having a text or phone call backup is a bad idea.
posted by soelo at 1:31 PM on April 9

They want to use your personal property for their business? What's next, they require you use your car to deliver things? Tell IT they're being un-professional; stand tall; it's their problem and they know it; make them own it.

- person whose phone is way older than an iPhone 6.
posted by at at 3:04 PM on April 9 [3 favorites]

I'd push back hard against, "you must use your personal phone for company business." Ask if you can get a cheap phone, no-minutes, that's compliant and expense it.

...If they require you to download the app away from the office (because you can't download them at work), that's time at work; if you're hourly-not-salary, it's billable time.
posted by ErisLordFreedom at 5:30 PM on April 9 [2 favorites]
